INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
|
|
- Felicity Wilson
- 5 years ago
- Views:
Transcription
1 INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S Subject Name Foundations of Cryptography Department / Center of the Student Additional sheets Important Instructions and Guidelines for Students 1. You must occupy your seat as per the Examination Schedule/Sitting Plan. 2. Do not keep mobile phones or any similar electronic gadgets with you even in the switched off mode. 3. Loose papers, class notes, books or any such materials must not be in your possession, even if they are irrelevant to the subject you are taking examination. 4. Data book, codes, graph papers, relevant standard tables/charts or any other materials are allowed only when instructed by the paper-setter. 5. Use of instrument box, pencil box and non-programmable calculator is allowed during the examination. However, exchange of these items or any other papers (including question papers) is not permitted. 6. Write on both sides of the answer script and do not tear off any page. Use last page(s) of the answer script for rough work. Report to the invigilator if the answer script has torn or distorted page(s). 7. It is your responsibility to ensure that you have signed the Attendance Sheet. Keep your Admit Card/Identity Card on the desk for checking by the invigilator. 8. You may leave the examination hall for wash room or for drinking water for a very short period. Record your absence from the Examination Hall in the register provided. Smoking and the consumption of any kind of beverages are strictly prohibited inside the Examination Hall. 9. Do not leave the Examination Hall without submitting your answer script to the invigilator. In any case, you are not allowed to take away the answer script with you. After the completion of the examination, do not leave the seat until the invigilators collect all the answer scripts. 10. During the examination, either inside or outside the Examination Hall, gathering information from any kind of sources or exchanging information with others or any such attempt will be treated as unfair means. Do not adopt unfair means and do not indulge in unseemly behavior. Violation of any of the above instructions may lead to severe punishment. Signature of the Student To be filled in by the examiner Question Number Total Marks Obtained Marks obtained (in words) Signature of the Examiner Signature of the Scrutineer
2
3 CS60088 Foundations of Cryptography, Spring End-Semester Test 26 April 2016 CSE-107/119/120, 2:00 5:00pm Maximum marks: 60 Roll no: Name: [ Write your answers in the question paper itself. Be brief and precise. Answer all questions. ] 1. Supply brief (one/two-sentence) answers to the following parts. (2 8) (a) What is the computational Diffie Hellman problem in Z p? Solution Given g,g a,g b (mod p), compute the element g ab (mod p). (b) What is the decisional Diffie Hellman problem in Z p? Solution Given g,g a,g b,g c (mod n), decide whether c ab(mod ord p (g)). (c) What is the parity oracle for textbook RSA encryption? Solution A (hypothetical) polynomial-time algorithm that, given the RSA ciphertext c of a message m, returns the least significant bit of m. (d) What is the difference between the security notions CCA and CCA2 for encryption schemes? Solution In CCA, decryption assistance stops after the challenge ciphertext is presented to the attacker. decryption assistance does not stop even after the challenge ciphertext is presented to the attacker. In CCA2, (e) What is adaptive chosen message attack for a digital signature scheme? Solution The adversary gets the victim s signatures on messages chosen by the adversary. (f) Show that RSA signatures are existentially forgeable. Solution For any s Z n, take m s e (mod n). Then, s is a valid RSA signature on m. (g) What is the difference between a zero-knowledge proof and a zero-knowledge argument? Solution In a zero-knowledge proof protocol, the prover is assumed to have unbounded computational resources. In a zero-knowledge argument protocol, the prover is assumed to be bounded (poly-time). (h) Why cannot we take long challenges in the Schnorr identification protocol? Solution To prevent a dishonest verifier from getting Schnorr signatures of the prover on sensitive messages. Page 1 of 7
4 2. Let E be a public-key encryption scheme. Define a public-key encryption scheme E as E pub(m)=e pub (m) H(m), where H is an unkeyed cryptographic hash function. Here, E and E use the same public key pub. (a) Prove or disprove: If E is IND-CPA secure, then E is IND-CPA secure. (4) Solution False. The appended hash value clearly indicates whether m 0 or m 1 was encrypted. The assumption that H(m 0 ) = H(m 1 ) violates the collision-resistance property of H. In any case, the IND-CPA adversary can arrange two messages m 0,m 1 satisfying H(m 0 ) H(m 1 ). (b) Prove or disprove: If E is NM-CPA secure, then E is NM-CPA secure. (4) Solution False. Like Part (a), it is easy to see that E is not IND-CPA secure. Now, use the fact that NM-CPA security implies IND-CPA security (equivalently, IND-CPA insecurity implies NM-CPA insecurity). Page 2 of 7
5 3. Coron s version of RSA-PSS-R padding scheme is shown in the adjacent figure. An RSA modulus n is used. The message m is of bit length k 0, and the random salt r is of bit length k 1. We have n =k 0 +k 1 +k 2 +1 for some k 2. Two hash functions H : {0,1} k 0+k 1 {0,1} k 2 and G : {0,1} k 2 {0,1} k 0+k 1 are used. The padded message is y = 0 u v. The RSA-PSS-R signature on m is s y d (mod n), where (e,d) is the RSA key pair of the signer. Here are the padding computations: m H r r U {0,1} k 1, µ = m r, G u = H(µ), v = G(u) µ y = 0 u v. 0 u v (a) Explain how the message is recovered and verified from an RSA-PSS-R signature s. (4) Solution The padded message is first recovered as y s e (mod n). If the msb of y is not zero, failure is reported. Otherwise, y is decomposed to u and v with u = k 2 and v = k 0 + k 1. Next, µ = G(u) v is computed. If H(µ) u, failure is returned. Otherwise, the first k 0 bits of µ are returned as the recovered message m. We now prove the security of the scheme against adaptive-chosen-message attacks in the random oracle model. Assume that there exists a PPT adversary Vera that, upon signing assistance, can produce a forged RSA-PSS-R signature on some (new) message. The simulator Ronald is a random oracle, and plays the CMA game with Vera to compute η d (mod n) for a random η input to him. (b) Explain how Ronald simulates a signing query from Vera. (4) Solution Let Vera make a signing query on m. Ronald takes s U Z n, and computes y s e (mod n). Ronald repeats until the msb of y is 0, and u does not reside in the G-table of Ronald. Once y (and so u,v) are fixed, Ronald chooses a random k 1 -bit salt r such that m r does not reside in the H-table of Ronald. Ronald then stores H(m r)=u and G(u)=v (m r). Finally, Ronald returns s to Vera. Under these new hash values, s is evidently a valid signature on m. Page 3 of 7
6 (c) Explain how G and H oracle queries are answered by Ronald. (4) Solution A query G(Q) is attended in the usual manner. If Q resides in the G-table, the stored value is returned. Otherwise, a uniformly random k 0 + k 1 -bit string is returned. For a query H(Q), Ronald first looks at his H-table. If the query was made earlier, the stored value is returned. Otherwise, Ronald repeats computing x U Z n, z x e (mod n), and y ηz (mod n) until the msb of y is 0, and the corresponding u does not reside in the G-table. Ronald sets H(Q)=u and G(u)=v Q, remembers x against Q, and returns u to Vera. (d) Explain how Ronald achieves his objective of computing η d (mod n). (4) Solution At the end, Vera produces a valid signature s on some message m. Notice that m was not signed by Ronald. However, the signature corresponds to a salt value r. It is very improbable for Vera to create the forged signature s without knowing H(m r). So with overwhelmingly large probability, Vera has made the query H(m r). Ronald now has u=h(m r), v=g(u) (m r), and y=0 u v. Moreover y zη (mod n), so the forged signature is s y d z d η d xη d (mod n). Since Ronald remembered x in connection with the query H(m r), he can now compute η d x 1 s(mod n). Page 4 of 7
7 4. Alice wants to convince Bob that she can generate valid ElGamal signatures. Let g Z p be an element of large prime order q. Alice s key pair consists of x U Z q (the private key) and y g x (mod p) (the public key). Alice s knowledge of x allows her to generate valid ElGamal signatures. However, to avoid chosen message attacks, she must not use x itself for generating signatures. Commitment Alice chooses t U Z q, and sends t to Bob. Challenge Bob chooses a random message m U Z q, and sends m to Alice. Response Alice chooses k U Z q. She then computes r g k (mod p) and s k 1 (m txr) (mod q). Alice sends (r,s) to Bob. (a) Explain the verification step by Bob. (4) Solution We have m sk+ txr (mod p). g m r s y tr (mod p). So g m (g k ) s (g x ) tr (mod p), that is, Bob accepts Alice if and only if (b) Deduce the completeness and soundness-error probabilities of the protocol. (4) Solution Clearly, if Alice knows x, she can compute the correct response (r,s), so ε = 1. Now, suppose that Alice is a cheating prover. She does not know x. Equivalently, she does not know tx. But then, producing a valid response to a message m chosen by Bob is equivalent to generating an ElGamal signature under the signing key tx. Therefore the soundness-error probability is the same as Alice s probability of forging ElGamal signatures without knowing the signing key. Since the message is chosen by Bob, this is not existential forgery. So under the assumption that ElGamal signatures are secure, the soundness-error probability is negligible. Page 5 of 7
8 (c) Prove the zero-knowledge property of the protocol. (4) Solution An equator uses existential forgery. It chooses t,u,v U Z q (with v 0). It takes r g u y v (mod p). Verification requires g m (g u y v ) s y tr (mod p). So the equator can take vs+tr 0(mod q), that is, s v 1 tr(mod q), and m su v 1 tru(mod q). The equated transcript is t,m,r,s. Page 6 of 7
9 5. A zero-knowledge protocol is called specially sound if the use of the same commitment value in two different runs of the protocol discloses to the verifier (or any eavesdropper) the private input of the prover. (a) Show that the Schnorr identification protocol is specially sound. (4) Solution Let k be the same committal used in two runs of the Schnorr protocol. For two different challenges c 1,c 2, the responses are r 1 k xc 1 (mod q) and r 2 k xc 2 (mod q). Elimination of k gives r 1 +xc 1 r 2 +xc 2 (mod q). Therefore if c 1 c 2 (mod q), we have x (c 1 c 2 ) 1 (r 2 r 1 )(mod q). (b) Is the protocol of Exercise 4 specially sound? (4) Solution No. Here, t is the commitment. Even if it remains the same in two runs, the session secret k is assumed to be different in the two runs. So Bob (or an eavesdropper) sees two ElGamal signatures of Alice under the private key tx(mod q). If Bob gains the knowledge of x, he also knows the private key tx(mod q). But no such attack on the ElGamal signature scheme is known. Of course, if t remains constant in many runs of the protocol, Bob can potentially mount a chosen-message attack which may reveal tx (and so x) to him. But only two runs are believed to be insufficient. However, if both t and k are repeated in two runs, then x is disclosed to Bob. Page 7 of 7
10 Use this space for leftover answers and rough work
11 Use this space for leftover answers and rough work
12 Use this space for leftover answers and rough work
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Autumn ) Roll Number Section Name Subject Number C S 6 0 0 3 5 Subject Name Selected
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 2 1 0 0 2 Subject Name Switching
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Autumn ) Roll Number Section Name Subject Number C S 6 0 0 2 6 Subject Name Parallel
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Autumn ) Roll Number Section Name Subject Number C S Subject Name Programming and Data
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Autumn ) Roll Number Section Name Subject Number C S Subject Name Programming and Data
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 1 0 0 0 1 Subject Name Programming
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Autumn ) Roll Number Section Name Subject Number C S 1 1 0 0 1 Subject Name Programming
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Autumn ) Roll Number Section Name Subject Number C S 1 0 0 0 1 Subject Name Programming
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Autumn ) Roll Number Section Name Subject Number C S 1 0 0 0 1 Subject Name Programming
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be
More informationDigital Signatures. Sven Laur University of Tartu
Digital Signatures Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic identity,
More informationOther Topics in Cryptography. Truong Tuan Anh
Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.
More informationCryptography V: Digital Signatures
Cryptography V: Digital Signatures Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 19th February 2009 Outline Basics Constructing signature schemes Security of
More informationIntroduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information
1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a
More informationCryptography V: Digital Signatures
Cryptography V: Digital Signatures Computer Security Lecture 10 David Aspinall School of Informatics University of Edinburgh 10th February 2011 Outline Basics Constructing signature schemes Security of
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationThe most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who
1 The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationAPPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1
APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 1 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified
More informationKey Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings
Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass
More informationIf DDH is secure then ElGamal is also secure w.r.t IND-CPA
CS 6903 Modern Cryptography May 5th, 2011 Lecture 12 Instructor:Nitesh Saxena Recap of the previous lecture Scribe:Orcun Berkem, Turki Turki, Preetham Deshikachar Shrinivas The ElGamal encryption scheme
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationDigital Signatures. Luke Anderson. 7 th April University Of Sydney.
Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1
More informationRelaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationOblivious Signature-Based Envelope
Oblivious Signature-Based Envelope Ninghui Li Department of Computer Sciences and CERIAS Purdue University 656 Oval Dr, West Lafayette, IN 47907-2086 ninghui@cs.purdue.edu Wenliang Du Department of Electrical
More informationECEN 5022 Cryptography
Introduction University of Colorado Spring 2008 Historically, cryptography is the science and study of secret writing (Greek: kryptos = hidden, graphein = to write). Modern cryptography also includes such
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More information18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange Online Cryptography Course Basic key exchange Trusted 3 rd parties Key management Problem: n users. Storing mutual secret keys is difficult
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationReminder: Homework 4. Due: Friday at the beginning of class
Reminder: Homework 4 Due: Friday at the beginning of class 1 Cryptography CS 555 Topic 33: Digital Signatures Part 2 2 Recap El-Gamal/RSA-OAEP Digital Signatures Similarities and differences with MACs
More informationI.D. NUMBER SURNAME OTHER NAMES
THE UNIVERSITY OF CALGARY DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS AND STATISTICS FINAL EXAMINATION SOLUTION KEY CPSC/PMAT 418 L01 Introduction to Cryptography Fall 2017 December 19, 2017,
More informationPublic Key Algorithms
Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Exchanging keys and public key encryption Public Key Encryption pk sk Public Key Encryption pk cß Enc(pk,m) sk m Public
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Problem 1 True or False (10 points) Circle True or False. Do not justify your answer. (a) True or False : It is safe (IND-CPA-secure) to encrypt
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017 Name : TU/e student number : Exercise 1 2 3 4 5 6 total points Notes: Please hand in this sheet at the end of the exam.
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationAnonymous Signature Schemes
Anonymous Signature Schemes Guomin Yang 1, Duncan S. Wong 1, Xiaotie Deng 1, and Huaxiong Wang 2 1 Department of Computer Science City University of Hong Kong Hong Kong, China {csyanggm,duncan,deng}@cs.cityu.edu.hk
More informationHomework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08
Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08 1. Signatures and Attacks Recall that to use the ElGamal signature scheme, Alice randomly selects her private signing key x
More informationIntroduction to Security Reduction
springer.com Computer Science : Data Structures, Cryptology and Information Theory Springer 1st edition Printed book Hardcover Printed book Hardcover ISBN 978-3-319-93048-0 Ca. $ 109,00 Planned Discount
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationCHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE
68 CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE 4.1 INTRODUCTION This chapter addresses the Verifiable Encryption of Elliptic Curve Digital Signature. The protocol presented is
More informationSecurely Combining Public-Key Cryptosystems
Securely Combining Public-Key Cryptosystems Stuart Haber Benny Pinkas STAR Lab, Intertrust Tech. 821 Alexander Road Princeton, NJ 08540 {stuart,bpinkas}@intertrust.com Abstract It is a maxim of sound computer-security
More informationCS 161 Computer Security
Paxson Spring 2013 CS 161 Computer Security 3/14 Asymmetric cryptography Previously we saw symmetric-key cryptography, where Alice and Bob share a secret key K. However, symmetric-key cryptography can
More informationMTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Entity Authentication Sven Laur University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie?
More informationHomework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08
Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08 This homework assignment is due Wednesday, February 13 at the beginning of lecture. Please bring a hard copy to class; either
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationAsymmetric Primitives. (public key encryptions and digital signatures)
Asymmetric Primitives (public key encryptions and digital signatures) An informal, yet instructive account of asymmetric primitives Timeline of the invention of public-key cryptography 1970-1974 British
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationIntroduction to Cryptography Lecture 10
Introduction to Cryptography Lecture 10 Digital signatures, Public Key Infrastructure (PKI) Benny Pinkas January 1, 2012 page 1 Non Repudiation Prevent signer from denying that it signed the message I.e.,
More informationUNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 10 Digital Signatures Israel Koren ECE597/697 Koren Part.10.1 Content of this part
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationDigital Signature. Raj Jain
Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More informationLecture 07: Private-key Encryption. Private-key Encryption
Lecture 07: Three algorithms Key Generation: Generate the secret key sk Encryption: Given the secret key sk and a message m, it outputs the cipher-text c (Note that the encryption algorithm can be a randomized
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationPassword Authenticated Key Exchange by Juggling
A key exchange protocol without PKI Feng Hao Centre for Computational Science University College London Security Protocols Workshop 08 Outline 1 Introduction 2 Related work 3 Our Solution 4 Evaluation
More informationח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms
Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationOverview of Cryptography
18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationRSA Cryptography in the Textbook and in the Field. Gregory Quenell
RSA Cryptography in the Textbook and in the Field Gregory Quenell 1 In the beginning... 2 In the beginning... Diffie and Hellman 1976: A one-way function can be used to pass secret information over an insecure
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationCSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L
CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More information